Dealing with data – The 'burden-less' business?

Sara Kelly of COADEC reviews Viviane Reding's latest proposals for EU Data Protection reform

By Sara Kelly on Jan 26, 2012. Comments (0)

Viviane Reding. EU Social @Flickr. CC BY-NC-SA 2.0 licence

“Businesses will now be burden-less under these reforms”, announced Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, during the launch yesterday of reforms to the EU's 1995 data protection rules aimed at strengthening online privacy rights.

Leaked drafts of the directive have been circulating since December, and many of today's announcements were trailed in Reding’s speech to the Digital Life Design (DLD) conference in Munich last weekend. Key changes confirmed today include a single set of rules on data protection, the requirement of reporting data breaches within 24 hours, the requirement of explicit consent, and possibly most controversially, the “right to be forgotten”.

Amid reports ahead of the announcement of the burden of complicated procedures of data protection, Reding used her address today to highlight the burden on businesses in complying with 27 different data protection requirements across the EU. This has limited the ability of many businesses to operate services that deal with data in multiple countries, so harmonisation of these codes will be welcome by businesses of all sizes as a way of saving time and money. Moreover, the directive’s proposed exemption for companies with fewer than 250 employees from the requirement to have a data protection officer shows that the Commission is conscious of the particular challenges that small businesses face in complying with these types of rules.

That said, it is not at all clear that the new directive will eliminate burdens for small businesses, and indeed there appears to be significant potential to increase them. This is especially true on two fronts:

• The “right to be forgotten” principle has a very real danger of being misused, in a way that particularly affects the owners of small social websites that rely on content from users. The directive as it stands outlines that the only way a user will not be able to remove their data is when this relates to a criminal investigation. The “right to be forgotten” could easily become “the right to take content and sell it for more money when I think it might have more value than when I originally gave you the right to use it”.

• Meanwhile, the heavy fines proposed for non-compliance may fall disproportionately on smaller enterprises, and it is possible that an inadvertent error may be enough to put one out of business

Addressing issues of data security is of course vital, but it must be balanced against the very legitimate uses of data employed by innovative businesses—most notable, social networks. Globally we have increasingly enjoyed the liquidity of information that the Internet provides. A picture shared or a blog posted can reach a wider audience than ever before, and that has bought with it incredible opportunities for those wishing to share their content and those designing platforms to do this. 

The proposed directive will now be passed on to the European Parliament the Council of Ministers for discussion. We hope that these discussions will flesh out some of the details this directive desperately requires to ensure that the removal of one burden does not in turn lead to the creation of new ones, especially where the result would be detrimental to small, innovative businesses.

Sara Kelly is Policy and Development Manager for COADEC, The Coalition for a Digital Economy. COADEC works to support legislation and other government policies that foster a lasting, sustainable and innovative digital economy for Britain.

Read more Comments (0)

Teaching our kids to code

An overhaul of ICT in schools is badly needed, argues Milena Popova, but Gove's proposals are not quite right yet

By Milena Popova on Jan 13, 2012. Comments (0)

CC BY-NC-SA 2.0@vanberto

Could it be that the Teach our kids to code e-petition is the smallest successful e-petition in UK politics? It would certainly seem so, after this week's news that Michael Gove wants to replace the current ICT school curriculum with a Computer Science programme. I do not often (ever?) agree with the Education Secretary, but today's announcement is definitely a step in the right direction.

In his speech at the BETT show this week, Gove correctly identifies technology as a key driving force and change agent in our society. Yet there is also an increasing trend for our gadgets to be black boxes to us; we do not understand how they work, we do not understand either their potential or the dangers they bring with them, and therefore we are not in control. Our gadgets, our technological inventions, control us. Such control extends from Sony and Apple telling us what we can and can't do with the hardware we have purchased from them to technology lobbyists taking advantage of our politicians' ignorance to sell them the next technological panacea. If we are to regain control of our technology, technical literacy is vital, and fostering it from an early age is clearly the best way forward.

There are other good reasons why learning to code can be beneficial both for our children and for society as a whole. @pozorvlak for instance argues that learning the way of thinking involved in programming and learning some basic programming skills has a huge potential to revolutionise productivity. Creating what he calls the "mass-algorate society", where everyone has basic coding skills, would be comparable to the move to a mass-literate society. No longer will there be a select few who understand technology - we all will be able to unleash its power.

For all that, though, what Michael Gove is actually proposing is far from being unmitigated good news. There are a number of issues to be addressed if this idea is to succeed. Gove argues that swift change is required, that technology moves so quickly that we cannot afford to spend four years creating a new ICT national curriculum which by the time it becomes operational will be obsolete. To an extent, he has a point. Yet what he is proposing will essentially allow schools to teach what they like, how they like in the area of ICT and Computer Science. From September, teachers will be left to their own devices to scour the web for materials, create their own, or work with businesses and universities to create courses. While for a small number of passionate, skilled teachers this may be heaven, I suspect the vast majority will find themselves lost and either stick to the existing curriculum or struggle to find material that is valuable and engaging at the right level. At least in the short term, I believe most pupils are likely to suffer as a result of the huge variance in quality of courses this approach is likely to generate. Looking ahead, universities may quickly find that a prospective student with a "Computer Science" qualification from one school has a completely different skill set to one from a different school. Clearly, some structure and rigour is called for here.

A related and potenially bigger issue is the lack of teachers with the right skills. Ian Livingstone, who co-authored the report this new policy is partially based on, claimed on the Today Programme that the British Computing Society has 1,000 teachers ready to go into schools and teach computing tomorrow. Yet that is barely enough to scratch the surface, and out of 28,000 newly-qualified teachers in 2010 only three had a Computer Science degree. This, too, needs to be addressed if Michael Gove's ambition to teach our kids to code is to succeed.

Involving businesses in the new Computer Science curriculum is a key cornerstone of Michael Gove's policy. The BCS is delighted. They proudly point at the Computing at School curriculum, already endorsed by both Google and Microsoft. Yet arguably a corporately sanctioned curriculum is as bad as one mandated by government after four years of deliberation. Already, the Computing at School curriculum asks questions such as "Is privacy even desirable?" Of course Google would approve.

If we want our children to become true, empowered citizens of the digital world, then any Computer Science curriculum taught in our schools needs to be based on Free Software. Our kids need to grow up with the four freedoms: to run their software in any way they choose, to study their software and modify it to suit their purposes, to share their software and improve upon it, sharing those improvements as well. Those four freedoms are conducive to teaching and learning, to writing great code, and to enabling everyone to tap into the power of technology. Anything else... is a gilded cage.

Read more Comments (0)

Blocking Newzbin

Newzbin is making legal history in the UK. Saskia Walzel looks at the 2010 High Court decision which found Newzbin guilty of copyright infringement.

By Saskia Walzel on Oct 14, 2011. Comments (0)

CC BY-NC-ND 2.0@Si McMahon

Very recently the Government floated the possibility of a “cross-industry body... to be charged with identifying infringing websites against which action could be taken”. Copyright owners believe the ongoing Newzbin case provides the necessary legal basis for an industry body to decide which websites ISPs should block. Many websites technically enable users to infringe copyright, especially those who host user-generated content. Under the host principles, established in the Electronic Commerce (EC Directive) Regulations 2002 they have to respond to notice and take down request by copyright owners. Though just because users infringe copyright does not mean that the website itself is infringing copyright.

Newzbin, relatively obscure before it was taken to court in the UK by the Hollywood studios, is a Usenet indexing subscription service. In its various incarnations Newzbin made legal headlines this year when the High Court for the first time granted a blocking injunction under section 97A of the Copyright, Designs and Patents Act 1988 (CDPA). Before that, in March 2010 Newzbin became the first “filesharing service” found to infringe copyright in the UK.

Like the Pirate Bay, Newzbin advanced the “we’re just like Google defence”, focusing on the fact that Newzbin, much like a search engine, does not make infringing copies or communicate them to the public. While users may infringe copyright the service itself does not, it is argued, perform any of the acts restricted by copyright.

However, under section 16(2) of the CDPA it is also an infringement of copyright to “authorises” others to do any of the acts restricted by copyright. In Twentieth Century Fox v Newzbin [2010] the High Court ruled that the way Newzbin was set up and operated by its administrator, and the way the administrator behaved, amounted to de-facto authorising the infringement by its member.

According to Mr Justice Kitchin “a reasonable member would deduce from the defendant's activities that it purports to possess the authority to grant any required permission to copy any film that a member may choose from the Movies category on Newzbin and that the defendant has sanctioned, approved and countenanced the copying of the claimants' films, including each of the films specifically relied upon in these proceedings.” In deciding that Newzbin had infringed copyright the High Court relied on CBS Songs v Amstrad [1988], which has become the defining case law on authorising infringement.

In 1988 the House of Lords found that Amstrad had not authorised infringement by users of its twin cassette deck, as alleged by the BPI and its members. It was ruled “that ‘authorise’ means the grant or purported grant of the right to do the act complained of. It does not extend to mere enablement, assistance or even encouragement.” The House of Lords rejected the argument that Amstrad had authorise infringement by technically enabling it and encouraging infringement by advertising that the cassette deck “now features 'hi-speed dubbing', enabling you to make duplicate recordings from one cassette to another, record direct from any source and then make a copy and you can even make a copy of your favourite cassette.”

In coming to the conclusion that Newzbin had authorised its users’ infringement the High Court considered what the Amstrad case established as relevant factors, namely: “the nature of the relationship between the alleged authoriser and the primary infringer, whether the equipment or other material supplied constitutes the means used to infringe, whether it is inevitable it will be used to infringe, the degree of control which the supplier retains and whether he has taken any steps to prevent infringement.”

The High Court concluded that the set-up of Newzbin, and the behaviour of its admin, amounted to authorising infringement to such an extent that Newzbin also has “procured and engaged with its premium members in a common design to copy the claimants' films”, and hence was also jointly liable for the infringement. Specifically, the site was “structured in such a way as to promote such infringement by guiding the premium members to infringing copies of their choice and then providing them with the means to download those infringing copies by using the NZB facility”, which the High Court identified as a crucial element of the website, and the administrator “further assisted its premium members to engage in infringement by giving advice through the sharing forums”.

Not really like Google then, or YouTube, or Wikipedia.... or like cyberlockers... maybe. It’s not like the movie and music studios only want the Pirate Bay blocked, they want an industry body akin to the Advertising Standards Authority to block a number of websites totalling the low hundreds.¹ With so little case law to go by it is difficult to foresee how an industry body would apply the Amstrad test on authorisation to the wide range of web services that technically allow users to infringe copyright. If the ongoing legal punch-up between copyright owners and cyberlockers in the US is anything to go by, “authorising” may end up meaning simply “anything we don’t like”. In the US movie and music studios are accusing cyberlockers of committing acts restricted by copyright, and for good measure, that they are “actively inducing” their users to infringe copyright.

The cases are currently playing out in court, to the backdrop of tense negotiations over whether remote storage services, call them cloud or cyberlocker, need to pay for a copyright licence to let users store their content. Ultimately copyright owners have a commercial incentive to cry “copyright infringement” whenever any new web service takes off, because a website is only liable to pay for a licence to copyright owners if they engage in acts restricted by copyright. Until the UK High Court has done the heavy lifting and established a robust body of case law, it is inconceivable that a non-judicial body should be allowed to decide which websites infringes copyright through authorisation. And once the case law has been established, it is questionable whether an industry body should be allowed to intervene in what are essentially commercial negotiations.

¹ “Site Blocking” to reduce online copyright infringement: A Review of section 17 and 18 of the Digital Economy Act, Ofcom, see pg.47

Read more Comments (0)

In the Club

Internet technology influences our lives in unexpected ways, as Wendy Grossman finds out to her surprise.

By Wendy M Grossman on Oct 07, 2011. Comments (0)

CC BY-NC-ND 2.0@Rakka

Sometime around noon on October 8, 2011 I will no longer be a car owner. This is no small thing: like many Americans I started dreaming about my own car when I was 13 and got my license at 16. I have owned a car almost continuously since January 1975. What makes this a suitable topic for net.wars is that without the Internet it wouldn't have happened.

Since 1995, online retailing has progressively removed the need to drive to shops. By now, almost everything I buy is either within a few minutes' walk or online. I can no longer remember the last time I was in a physical supermarket in the UK.

The advent in 2005 of London's technology-reliant congestion charge (number plate recognition, Internet payment) meant a load of Londoners found it convenient to take advantage of the free parking in my area. I don't know what goes on in the heads of people who resent looking down their formerly empty street and seeing some strange cars parked for the day, but they promptly demanded controlled parking zones, even on my street, where daytime parking has never been an issue but the restaurants clog it up from 7pm to midnight. The CPZ made that worse. Result: escalating paranoia about taking the car anywhere in case I couldn't park when I got back.

But the biggest factor is a viable alternative. Car clubs and car-sharing were newspaper stories for some years until earlier this year, while walking a different route to the tube station, I spotted a parking space marked "CAR CLUB ONLY". It turns out that within a few minutes' walk of my house are five or six Streetcars (merging with Zipcar).

For £60 a year I can rent one of these by the hour, including maintenance, insurance, tax, emergency breakdown service, congestion charge and, most important, its parking space. At £5.25 an hour it will take nearly 100 hours a year to match the base cost of car ownership – insurance, road tax, test, parking, AA membership, before maintenance. (There is no depreciation on a 24-year-old car!)

The viability of car clubs depends on the existence of both the Internet and mobile phone networks. Sharing expensive resources, even cars, is nothing new, but they would have relied on personal connections. The Internet is enabling sharing among strangers: you book via their Web site or mobile phone up to a few minutes before you want the car, and if necessary extend it by sending an SMS.

And so it was that about a month and a half ago it occurred to me that one day soon I would begin presiding over my well-loved car's slow march to scrap metal. How much should you spend on maintaining a car you hardly ever drive? If I sold it now, some other Nissan Prairie-obsessive could love it to death. A month later it passed its MOT for the cost of a replacement light bulb and promptly went up on eBay.

In journalism, they say one is a story, three is a trend. I am the second person on my street to sell their car and join the club in the last two months. The Liberal Democrat council that created the car club spaces can smirk over this: though some residents have complained in the local paper about the loss of parking for the car-owning public, the upshot will be less congestion overall.

The Internet is not going to kill the car industry, but it is going to reshape the pattern of distribution of car ownership among the population. Until now it's been a binary matter: you owned a car or you didn't. Most likely, the car industry will come out about even or a little ahead: some people who would have bought cars won't, some who wouldn't have bought cars will join a club, the clubs themselves will buy cars. City-dwellers have long been a poor market for car sales – lifelong Manhattanites often never learn how to drive – and today's teens are as likely to derive their feelings of freedom and independence from their mobile phones as from a car. The people who should feel threatened are probably local taxi drivers.

Nonetheless, removing the need to own a car to have quick access to one will remove a lot of excess capacity (as airlines would call it). What just-in-time manufacturing has done for companies like Dell and Wal-Mart, just-in-time ownership can now do for consumers: why have streets full of cars just sitting around all day?

To make it work, of course, consumers will have to defy decades of careful marketing designed to make them self-identify with particular brands and models (the car club cars are not beautiful Nissan Prairies but silly silver lozenges). Also, the club must keep its promise to provide a favorable member:car ratio, and the council must continue to allocate parking spaces.

Still, it's all in how you think about it. Membership in Zipcar in one location gives you access to the cars in all the rest. So instead of owning one car, I now have cars all over the world. Is that cool or what?

Read more Comments (0)

How much do you trust your GP?

The implications of the NHS Health Bill proposals may impact negatively on the use of personal data, Milena Popova writes.

By Milena Popova on Oct 05, 2011. Comments (0)

CC BY-NC-ND 2.0 (The Prime Minister's Office)

One such conflict that comes to mind is the news that a Yorkshire-based practice has been offering private treatment to some of their patients for procedures allegedly no longer covered on the NHS, using patient data acquired through their work for the NHS for direct marketing purposes for their private businesses.

There are many issues surrounding this case, especially over GP conduct. How accurate (or truthful) are the GPs' claims that these procedures are no longer covered on the NHS - is this a blanket decision or does it only cover particular PCTs? What are the exact regulations, either under the current set-up or under the new Bill, that apply to GPs offering private services to their patients? And most importantly from a digital rights point of view, in a case where a person performs one public function as part of the NHS and a private function in their own business, how should their access to patient data be regulated and limited in order to continue to ensure privacy and confidentiality? Questions about private providers’ potential access to the NHS Summary Care Record - the one part of the huge NHS IT project that has not been abandoned - should also be asked.

Data about our health is among the most private information we have. A breach of privacy in this area can be hugely damaging. It may impact negatively on our job prospects and lead to us being unable to obtain cover or treatment further down the line. Questions about the privacy of such information should be examined now, with any leaks and loopholes shut down before it’s too late.

Read more Comments (0)

Trust Exercise

Asking what parts of our identity ought to be revealed and what institutions are most deserving.

By Wendy M Grossman on Sep 30, 2011. Comments (0)

CC BY-NC 2.0@mermaid99

This article is cross-posted from Wendy M. Grossman's regular column net.wars.

When do we need our identity to be authenticated? Who should provide the service? Whom do we trust? And, to make it sustainable, what is the business model?

These questions have been debated ever since the early 1990s, when the Internet and the technology needed to enable the widespread use of strong cryptography arrived more or less simultaneously. Answering them is a genuinely hard problem (or it wouldn't be taking so long).

A key principle that emerged from the crypto-dominated discussions of the mid-1990s is that authentication mechanisms should be role-based and limited by "need to know"; information would be selectively unlocked and in the user's control. The policeman stopping my car at night needs to check my blood alcohol level and the validity of my driver's license, car registration, and insurance – but does not need to know where I live unless I'm in violation of one of those rules. Cryptography, properly deployed, can be used to protect my information, authenticate the policeman, and then authenticate the violation result that unlocks more data.

Today's stored-value cards – London's Oyster travel card, or Starbucks' payment/wifi cards – when used anonymously do capture some of what the crypto folks had in mind. But the crypto folks also imagined that anonymous digital cash or identification systems could be supported by selling standalone products people installed. This turned out to be wholly wrong: many tried, all failed. Which leads to today, where banks, telcos, and technology companies  are all trying to figure out who can win the pool by becoming the gatekeeper – our proxy. We want convenience, security, and privacy, probably in that order; they want security and market acceptance, also probably in that order.

The assumption is we'll need that proxy because large institutions – banks, governments, companies – are still hung up on identity. So although the question should be whom do we – consumers and citizens – trust, the question that ultimately matters is whom do *they* trust? We know they don't trust *us*. So will it be mobile phones, those handy devices in everyone's pockets that are online all the time? Banks? Technology companies? Google has launched Google Wallet, and Facebook has grand aspirations for its single sign-on.

This was exactly the question Barclaycard's Tom Gregory asked at this week's Centre for the Study of Financial Innovation round-table discussion (PDF). It was, of course, a trick, but he got the answer he wanted: out of banks, technology companies, and mobile network operators, most people picked banks. Immediate flashback.

The government representatives who attended Privacy International's 1997 Scrambling for Safety meeting assumed that people trusted banks and that therefore they should be the Trusted Third Parties providing key escrow. Brilliant! It was instantly clear that the people who attended those meetings didn't trust their banks as much as all that.

One key issue is that, as Simon Deane-Johns writes in his blog posting about the same event, “identity” is not a single, static thing; it is dynamic and shifts constantly as we add to the collection of behaviors and data representing it.

As long as we equate “identity” with “a person's name” we're in the same kind of trouble the travel security agencies are when they try to predict who will become a terrorist on a particular flight. Like the browser fingerprint, we are more uniquely identifiable by the collection of our behaviors than we are by our names, as detectives who search for missing persons know. The target changes his name, his jobs, his home, and his wife – but if his obsession is chasing after trout he's still got a fishing license. Even if a link between a Starbucks card and its holder's real-world name is never formed, the more data the card's use enters into the system the more clearly recognizable as an individual he will be. The exact tag really doesn't matter in terms of understanding his established identity.

"... the solution has to involve the capability to generate a unique and momentary proof of identity by reference to a broad array of data generated by our own activity, on the fly, which is then useless and can be safely discarded”

What I like about Deane-Johns' idea is two things. First, it has potential as a way to make impersonation and identity fraud much harder. Second is that implicit in it is the possibility of two-way authentication, something we've clearly needed for years. Every large organization still behaves as though its identity is beyond question whereas we – consumers, citizens, employees – need to be thoroughly checked. Any identity infrastructure that is going to be robust in the future must be built on the understanding that with today's technology anyone and anything can be impersonated.

As an aside, it was remarkable how many people at this week's meeting were more concerned about having their Gmail accounts hacked than their bank accounts. My reasoning is that the stakes are higher: I'd rather lose my email reputation than my house.. Their reasoning is that the banking industry is more responsive to customer problems than technology companies. That truly represents a shift from 1997, when technology companies were smaller and more responsive.

More to come on these discussions...

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.

Read more Comments (0)

The Lives of Others

Manijeh Khan looks at what is happening to Data Retention rules in the EU

By Manijeh Khan on Aug 19, 2011. Comments (2)

Photo by Michael Pujals CC BY-NC-SA 2.0

The Lives of Others is a poignant, Oscar-winning film by Florian Henckel von Donnersmarck, released in 2006, showing the extensive surveillance to which numerous East Germans were subjected at the hands of the Stasi. It is a chilling reminder of the terrible consequences of living in a police state. 

Ironically, in the same year, Europe passed a new law which has had a significant adverse impact on our right to privacy – namely the Data Retention Directive (the “Directive”). Despite such cautionary tales, the European Union has spent the last few years pushing ahead with implementation of the Directive.

Earlier this year, the EU Commission published an evaluation report on the Directive. The Commission conceded that the law required considerable fine-tuning, in terms of better harmonisation across the EU and the implementation of stronger safeguards to prevent misuse of data, but concluded that overall, data retention has proved to be a “valuable tool” in the fight against crime. That position has been strongly disputed by both European Data Rights (“EDRI”) and the European Data Protection Supervisor (“EDPS”).

Background to the Data Retention Directive

The Directive requires telephone and internet service providers (“telecoms providers”) to retain traffic, location and subscriber data from between six months and two years for the purpose of investigation, detection and prosecution of serious crime.

Data retention by telecoms providers existed well before the enactment of the Directive, except that it was voluntary and circumscribed by the E-Privacy law. Telecoms providers retained our mobile and internet traffic data for commercial reasons, such as billing, interconnection payments or marketing, but the information had to be deleted or made anonymous once it was no longer necessary as set out under the E-Privacy Directive (2002).

The limitations of this approach were that, since data retention was voluntary, there was no consistency in the manner in which information was retained. Web logs could have been kept anywhere from a few days to several months or not at all, depending on the particular policy of the ISP concerned. Moreover, the provisions of the E-privacy law meant that generally data could never be held for long durations. In a nutshell, under these circumstances, law enforcement authorities could not depend on the data being available for any substantial length of time or at all. 

In the wake of the London and Madrid bombings, stronger investigative measures were seen as essential to combat terrorism and the UK government led the charge for a system of mandatory data retention to be imposed on telecoms providers throughout the EU, with data being held on to for longer than the providers might otherwise have considered necessary for business purposes. The Data Retention Directive was implemented, despite fears that it would facilitate mass surveillance.


Criticism

The disquiet surrounding the Data Retention Directive has continued and not been quelled by the EU Commission’s evaluation report.

EDRi (the European Digital Rights group of which the Open Rights Group is a member) issued a shadow report sharply critical of the Commission’s stance in the evaluation. EDRi condemned the EU Commission for failing to produce sufficient evidence demonstrating that data retention is necessary for the investigation of crime. In picking apart the statistics and arguments relied on by the Commission to support data retention, EDRI made the following observations:

• The Commission relied exclusively on information provided by Member States and failed to conduct any independent research into the need for mandatory data retention.

• The Commission failed to procure relevant and reliable data from Member States; for example, nine out of ten court judgements submitted by the Dutch Ministry of Justice to the Commission relate to crimes committed long before the Directive was implemented.

• The Commission failed to seek any information from those Member States that had not implemented the Directive.

• Data used to investigate the Madrid bombings was available in the absence of any data retention legislation.

• An independent study commissioned by the German government found that in 2005, only 4% of requests could not be (fully) served for a lack of retained data (Max Planck Institute for Foreign and International Criminal Law). The German Federal Crime Agency (BKA) found that in 2010 only 0.01% of criminal investigation procedures were potentially affected by a lack of traffic data.

• On the other hand, where traffic and location data was retained, a recent study, the Scientific Services of the German Parliament shows that: “[i]n most states crime clearance rates have not changed significantly between 2005 and 2010. Only in Latvia did the crime clearance rate rise significantly in 2007. This is related to a new Criminal Procedure Law though and is not reported to be connected to the transposition of the EU Data Retention Directive.”

• The efficacy of data retention was also disputed on the basis that circumvention is possible through the following means: anonymisation tools (such as proxy servers or VPN), prepaid anonymous SIM cards, telecom providers that are not subject to the Directive and cyber cafes.

Peter Hustinx, the European Data Protection Supervisor (“EDPS”) has also criticised the Commission’s report for the lack of credible evidence supporting the need for data retention: “Interesting examples of its use have been provided, however, there are simply too many shortcomings in the information presented in the report to allow general conclusions on the necessity of the instrument [i.e. the Data Retention Directive].”

What’s the risk?

It is essential that we remain vigilant in protecting our data and ensuring that our privacy is breached only in extreme circumstances, where it is absolutely necessary.  The dangers have been highlighted by EDRI, who refer to a booklet entitled “There is No Secure Data” prepared by the German Working Group on Data Retention, which describes several alarming cases of misuse of data, as follows:

• German telecommunications giant, Deutsche Telekom, illegally used telecommunications traffic and location data to spy on about 60 individuals including critical journalists, managers and union leaders in an attempt to track down leaks. The company used its own data pool, as well as that belonging to a domestic competitor and a foreign company, respectively.

• In Poland, retained telecommunications traffic and subscriber data was used in 2005-2007 by two major intelligence agencies to illegally disclose journalistic sources without any judicial oversight.

There are other well-known examples of how data in the wrong hands can be abused and many of these, like The Lives of Others, have been important enough to be captured on celluloid.  The McCarthy trials and the Watergate affair have already been made into acclaimed films; the recent phone hacking scandal at the News of the World may be next.  We must learn from these cautionary tales.  As argued passionately at the end of Good Night and Good Luck, if “this instrument is good for nothing but to entertain, amuse and insulate… it is merely wires and lights in a box.”


Unconstitutional

The implementing legislation for the Data Retention Directive has been held to be unconstitutional in many states across Europe, including Austria, Belgium, Germany, Greece Romania and Sweden. However, out of these only Romania has ruled that blanket data retention per se is indefensible. Others have focused on issues such as use, access and the length of data retention. In Germany for example, 6 months was held to be the upper limit of what could be deemed an acceptable period of retention.

Merits of Data Retention

In the evaluation report, the EU Commission referred to several incidents in which traffic or location data had apparently proved valuable to an investigation: in Belgium location data was used to show complicity in a tiger kidnapping; in Hungary and Poland traffic data was used to investigate a fraud against elderly persons conducted over the telephone; in Germany it was used to identify the murderer of a police officer - when the assailant escaped in the victim’s car, which he then abandoned, he telephoned for alternative means of transport; Czech “Operation Vilma” into a network exchanging child abuse content would allegedly have been “impossible” without traffic data. 

The EDPS also appeared to accept that there may be some possible value in data retention in specific cases and under very strict conditions (para 80 of the Opinion). However, he urged the EU Commission to obtain further, more robust evidence and to examine all the options including repeal of the Directive or replacement by a more targeted law.

Alternatives

There is an alternative to mandatory data retention as a method of investigation, namely data preservation - also known as “Quick Freeze”. This is where once an individual suspect is identified their data is preserved as from the date of the court order. Recently, a species of data preservation, known as “Quick Freeze Plus”, has been developed. This model goes beyond Quick Freeze in that a judge may also grant access to any data voluntarily retained prior to the order and which has not yet been deleted by the operators. It may additionally include a limited obligation on telecom companies to retain data in respect of users who have a flat-rate subscription (where there is usually no need to store data for billing purposes).

In the EU, countries such as Germany, Austria, Belgium and Sweden are using data preservation and other targeted methods in investigating crime. It is the only method envisaged under the Cybercrime Convention.


Consistency

Assuming that the EU listens to reason and carries out a more thorough evaluation of data retention, this should generate more sensible evidence which should in turn dictate which investigative tool we ultimately opt for. However, any solution will need to be applied consistently.  The Data Retention Directive for example only applies to telecom providers, to the exclusion of other internet companies such as search engines. At the moment, voluntary retention by such internet companies has been left largely unhindered.

Search engines and social media websites retain much more meaningful data (i.e. content data, as opposed to mere traffic, location or subscription data) and for relatively longer periods of time; in addition, they willingly comply with requests for information from law enforcement authorities, without any judicial oversight or legal guidelines. If we are worried about data retention we need consistent regulations and practices across the board – covering not only telcos, but other internet and data gathering companies.

By the same token, if the evidence strongly suggests that there is significant value in retaining data, we should adopt a coherent strategy. For example, we may wish to stay away from Quick Freeze Plus, which may be an unsatisfactory halfway house with a contradictory outcome, as on the one hand it concedes value in data retention, but on the other hand implies that such retention would be entirely voluntary, with the result that any records retained by telecoms providers might be entirely ad hoc and patchy. Under this option, if investigators needed to dig into past records, it would be something of a lottery whether the data was there or not.  If data retention really is essential (and that must be demonstrated by clear and cogent evidence), it should be made mandatory, but with strict limits on the period of retention, access and use in order to safeguard privacy.

The way forward

We will have to see how things shape up over the next few months. Currently, the Commission is in consultation with law enforcement authorities, the judiciary, industry and consumer groups, data protection bodies and civil society organisations to discuss the way forward. A proposal for a revised Directive is expected by the end of this year. The hope is for clear evidence that can stand up to scrutiny and a rational approach built on such evidence.  If we favour retention without justification, monitoring without limits and disclosure without cause, then we have failed to learn the lessons told to us by von Donnersmarck, Woodward, Bernstein, Clooney et al.

Manijeh Khan is a Commercial, IT & IP lawyer

Read more Comments (2)

How the Government turned anti social media

Loz Kaye responds to David Cameron's potential idea of a social media block in 'emergencies'

By Loz Kaye on Aug 15, 2011. Comments (1)

CC-AT-SA Flickr: worldeconomicforum

We have all been shocked by the scenes of arson, looting and violence on the streets of our country over recent days. Living as I do in central Manchester, I have been touched by it too. The night of the riots here was a night of helicopters and sirens, from my flat I saw people chased by police vans through the local retail estate.

The awful events have left everyone searching for answers as to the causes of the disturbances and what we do next. Sadly, politicians back from their holidays have skipped the how, what, why - the facts part of the debate - and rushed straight to the blame game. In a depressingly familiar pattern, technology is being made a scapegoat. This time it is social media and services such as Blackberry Messenger that are in the frame.

The Prime Minister’s statement on the riots to a recalled House of Commons was short on real substance, but it did include the following:

“Free flow of information can be used for good. But it can also be used for ill. And when people are using social media for violence we need to stop them.... we are working with the Police, the intelligence services and industry to look at whether it would be right to stop people communicating via these websites and services when we know they are plotting violence, disorder and criminality."

This is a dangerous kneejerk reaction, which is unwarranted and has real potential to harm freedom of speech in the United Kingdom.

The wording of David Cameron’s speech is very careful, to try and make it impossible to raise objections. It seeks to focus on individuals and violence. To start with, this ignores that there are already powers to deal with the intention of this statement. This area is covered for example by the Regulation of Investigatory Powers Act 2000 (RIPA) and the Communications Act 2003. In practice, media lawyer Steve Kuncewicz has pointed out: “We have seen [communication] bans handed out as part of ASBOs previously, as well as bans from contacting other users in harassment cases...”. 

There is of course a very high profile case of an individual being prosecuted for supposed “menace” on a social network - Paul Chambers in the infamous “Twitter Joke Trial”.  Even those who thought the prosecution was justified must recognise the facts that there was no bomb, and crucially in light of the current debate, there was no panic or riot at Robin Hood airport. The waste of police time and money on this affair appears more ridiculous than ever. But it also shows how blameless individuals can be caught up in the scramble to appear tough on crime or terrorism, by cracking down on the internet.

If the PM’s office is at least aware of the existing powers, perhaps this is just another empty exercise in keeping the Tory backbenchers happy by appearing to do something that will in fact be ditched quietly when Mr Cameron is back from his second summer holiday. After all, the impossibility of what is being proposed is self evident to people with even a casual knowledge of technology or social media. All too often I can’t help thinking that that our policy is being made by leaders that seem to believe programmes like Spooks are real life. There is no immediate Facebook death ray that will take out individual plotters from the web at a time of crisis.

If this is more than an exercise in spin, surely the coalition is seeking to go further than current law already permits.

To go further is to ask for wider blanket powers of web and telecommunications blocking. To hide it in the language of stopping plotters is disingenuous. That the proposals have been understood as calling for the ability to take action such as “turning off Twitter” is evident by the reaction.

One striking example was Louise Mensch MP’s appearance on Sky TV. That she seems to think it is possible to target individual hashtags in some meaningful way was rightly greeted with people banging their heads on their desks throughout the land. But to just dismiss her views as ill informed would be a real mistake. She is on the Culture, Media and Sport Select Committee after all. She states it would be acceptable to turn twitter off for “half an hour or an hour”. We now have people we should trust to guard our democracy who think curtailing freedom of speech has the same status as “a brief road or rail closure”.

It is a mark of how far we have lurched towards authoritarianism that we even need to look at how nonsensical so much of the comment on this issue has been. If young people - and from the court reports - estate agents, teachers and parents, really think so little of their communities that they are prepared to smash and burn for a pair of shorts they will find a way with or without Blackberry Messenger. As Sam Biddle put it in Gizmodo: “window-smashing pedestrians didn't stumble upon Twitter and think, My God, we could use this to organize a bloody great riot!” 

Even if the government takes the view that freedom of speech needs to be suppressed in the name of national security, what is being proposed does not solve the problem of rioting and looting anyway. By the time enough evidence could have been amassed to warrant some kind of shut down, the damage would have been done. Incidents took place over the course of hours - not the half an hour or an hour that Mensch refers to. So surely that leaves us in a place where MPs of her view will be asking for blocks of several hours. Or days.

It is typical of this Government’s approach to set out an unfeasible course of action, then expect others to implement it - in this case “the police, the intelligence services and industry “. It turns the police into passive observers and reactors, rather active participants working in a proportionate manner with communities. It was this that restored calm to our streets - not squaddies, bullets, or water cannon - and certainly not censorship. We need to look at root causes, not blame channels of communication.

The simplistic demonisation of certain communication channels from various quarters has contributed to the pressure on the Government. The Deputy Assistant Commissioner of the Metropolitan Police, Steve Kavanagh blamed Twitter for fuelling the riots with “inflammatory” and “inaccurate” messages. At one point the Sun was frothing about the “twitter rioters”. All of this bears only the faintest relation to evidence. The Mail, in their utterly imitable style, even managed to link BBM to their obsession with real estate. In the quest to find “an electronic ‘master key’” to turn off “sinister” technology, they observed RIM co-chief executive Mike Lazaridis “was also unavailable for comment at his glass-walled mansion.”

Parliament has learnt nothing from “Hackgate”. In the wake of the News International scandal there was a widespread hope that the main parties had thrown off their fear of the tabloids and had gained new purpose and moral fibre. All too soon it has been business as usual, with politicians bounced into populist positions with no proper justification.

There is a wider context to these calls for communication curbs - the creeping censorship agenda that groups like the Pirate Party and ORG have been highlighting. Just a few weeks before these events, I warned that the judgement requiring BT to block Newzbin2 set the precedent for further restrictions. ORG’s Peter Bradwell said on the same case that "website blocking is pointless and dangerous.” Even with my pretty jaded view I did not think we would be proved right so soon. This has always been the core point of those of us defending digital rights. It is not about free stuff - it is about free speech.

We have seen some of the worst sides of human nature during and in the wake of these riots. Thankfully we have seen some of the best sides of Britain too. And a lot of that has been thanks to social media. The speed at which hundreds were mobilised by the #riotcleanup hashtag was impressive. Even while the police vans were racing past my flat, @RiotCleanUpManc was planning for the next day, which they couldn’t have done if they had been restricted.

As it happened, when it came down to it, most of the graft had already been done by dedicated public sector workers, but the symbolic value was vital as well. The image of brooms held up flashed through the web- a sign of peaceful, positive defiance. A true demonstration of the strength of a free internet.

These have been testing times for our liberal democracy. To share information is vital for active participation in our society. If we give in at the first push, our society is neither liberal, nor democratic.

Loz Kaye - Leader Pirate Party UK

Read more Comments (1)

Web blocking rears its ugly head

Milena Popova assesses the impact from the Newzbin ruling

By Milena Popova on Aug 05, 2011. Comments (1)

CC-AT Flickr: say_cheddar

Reading the headlines Wednesday morning, you could be forgiven for thinking that one of the long hard battles the Open Rights Group has been fighting for the last couple of years - the one on the web blocking provisions in Sections 17 and 18 of the of the Digital Economy Act 2010 - had been won. "Government scraps plans to block illegal filesharing websites”, proclaimed the Guardian, with similar headlines on BBC News and other outlets. The reports referred to comments made by Business Secretary Vince Cable in the wider context of his response to the Hargreaves Review.

Once you look at the specific comments made by Mr Cable and the timing of this announcement, however, things seem a little less rosy. The sudden change of heart comes less than a week after the first web blocking injunction on copyright infringement grounds was granted in the UK by a High Court judge. The Newzbin2 case is a landmark ruling, asking BT to use Cleanfeed software (normally used to block child pornography websites) to block access to Newzbin2 a popular website which enables filesharing based on the Usenet platform.

What is really important in the Newzbin case is that the injunction is granted not based on the Digital Economy Act 2010 (the relevant web blocking sections of which will now most likely never be implemented), but based on Section 97A of the Copyright, Designs and Patents Act 1988. Section 97A, in turn, is the UK implementation of a European Union Directive on E-Commerce. The reach of Section 97A is substantial: it gives the High Court the power

 

to grant an injunction against a service provider, where that service provider has actual knowledge of another person using their service to infringe copyright.

The terms of reference here are extremely broad with few clarifications or restrictions. Pretty much the only qualification are the words “actual knowledge”. Reading the full ruling in the Newzbin2 case, it quickly becomes apparent that Mr Justice Arnold, by ruling in favour of the Motion Picture Association, has taken the broadest possible interpretation of Section 97A.

One wonders, at this point, why the MPA is bothering with Newzbin in particular - they are a private members-only service with very limited reach, using a fairly obscure technology. The material damage, if any, they are doing to the film industry is exremely limited, particularly compared to other filesharing services. There are some other good questions around the way the MPA have gone about this, eloquently raised by Alison Wheeler; notably, why the target here is BT rather than, say, Newzbin’s overseas ISP wherever the servers are hosted.

Here is one theory: Newzbin is an easy target for a test case. There was already a pre-existing ruling stating that Newzbin1 - a practically identical service - was guilty of copyright infringement. Because the new incarnation of the site is hosted outside the UK, no legal measures can be taken against the site directly. From there it is a small step to see how much you can get away with in terms of web blocking under existing legislation (as opposed to the not-yet-implemented Sections 17 and 18 of the Digital Economy Act which at that point were in the process of being reviewed by Ofcom). What the Newzbin2 case therefore has done is open the gates to web blocking.

Back to the Business Secretary’s comments from Wednesday, we can see that he references Ofcom’s guidance on the implementation of web blocking under the Digital Economy Act (executive summary: unworkable). Speaking to the BBC, however, Mr Cable also suggested that “test cases” had played a part in the government’s decision to drop the implementation of Sections 17 and 18 of the Digital Economy Act. That comment, combined with the timing of the announcement, strongly hints at the Newzbin2 case.

Comparing Sections 17 and 18 of the Digital Economy Act and Section 97A of the Copyright, Designs and Patents Act, what strikes me is how restrictive the former seem compared to the latter. They speak of proportionate responses and infringement activities that have a “serious adverse effect on businesses or consumers” and explicitly state that in determining whether to grant an injunction the court must consider the importance of freedom of expression. No such formal safeguards are to be found in Section 97A. Ironically, BT’s counsel used Section 17 of the Digital Economy Act in their defense in the Newzbin2 case.

The Digital Economy Act continues to be a poor piece of legislation, and to an extent the announcement that Sections 17 and 18 will not be implemented comes as a relief. However, given the context of the Newzbin ruling and the opening of the door to web blocking based on existing legislation which is much broader, I wonder if a year from now we will look back and wish we had Sections 17 and 18 instead.

Milena is an economics & politics graduate, an IT manager, and a campaigner for digital rights, electoral reform and women's rights. She tweets as @elmyra

Read more Comments (1)

On the horizon: a parody exception to copyright?

Jag Bahra on why allowing parodies of protected works is an important step towards a more balanced and sensible law of copyright.

By Jagdeep Bahra on Aug 03, 2011. Comments (0)

Weird Al Yankovic. Photo by watsonsinelgin CC BY-NC-SA 2.0

This morning Business Secretary Vince Cable announced how the Government proposes to respond to the Hargreaves Review of Intellectual Property.  He announced support for all 10 recommendations in the Hargreaves Review, including for 'exceptions' such as the long overdue legalisation of format shifting and moves to make data-mining for scientific research legal. We may also at last be given an exception to copyright for works of parody.  Such an exception was recommended in both the Hargreaves (2011) and Gowers (2006) reviews. This article takes a look at the case for parody and some international examples of where such an exception is already in place. 

It is little wonder that parody is such a controversial copyright subject.  A parody mocks an existing film, song, book or other work – by borrowing its most distinctive and recognisable parts.  On the face of it this would be at odds with copyright law, which stops others from making any copy or adaptation of a protected work- or any substantial part of it. 

Under the current law we have a doctrine of ‘fair dealing’, which is limited to the purposes of criticism and review.  Any use must include sufficient acknowledgment of the original.  This is clearly not suitable for parodical works. 

Interestingly, in the early 20th Century the Courts were willing to allow some room for parodies.  For example see Glyn v Weston Films (1916) and Joy Music v Sunday Pictorial Papers (1920).  However in more recent cases the Courts have gone against this precedent, asserting the only issue to consider is whether a substantial amount of the original work has been copied. 

And herein lies the fundamental problem for parodists.  Any parody must necessarily appropriate and transform significant portions of the original work in order for it to make sense.  As the copying of any substantial part (i.e. anything that is not de minimis) of a work is an infringement of copyright, it is difficult to see how any parody will not automatically be infringing.  

The case for allowing parodies is strong.  Parody is often the most effective way to criticise.  There has been recent controversy surrounding a video produced by Greenpeace, which parodied Volkswagen’s popular ‘little Darth Vader’ advert.  Greenpeace’s video uses the same theme and imagery, but instead frames Volkswagen as the evil Galactic Empire, intent on destroying Earth with its VW-branded Death Star.  The motivation behind this is that Volkswagen is opposing a piece of European legislation imposing limits on CO2 emissions and that the company’s claims of ‘eco-friendliness’ are a dishonest front. 

In this case it is clear that the parody had been made purely for the purposes of legitimate criticism.  Of course, it aimed to bring Volkswagen’s activities into question in the minds of the public, but this is perfectly lawful - no actionable harm was caused.  No consumers would become confused and think that the video was actually produced by Volkswagen.  The market for the original advert was not harmed.  Greenpeace did not aim to gain financially from their video.  All of these factors point towards the inevitable conclusion that parody should be allowed to exist within the copyright framework.

Greenpeace’s video was removed from Youtube after a generic copyright complaint from Lucasfilm, but has since returned.  Thankfully the matter comes under US jurisdiction and is therefore protected under fair use, as Greenpeace asserted.  The Fair Use doctrine is enshrined in the US Copyright Act, and is further-reaching than our own fair dealing provisions.  It states that “the fair use of a copyrighted work…for purposes such as criticism, comment, news reporting, teaching… scholarship, or research, is not an infringement of copyright.”  When considering whether a use is ‘fair’ the Court must consider the following four statutory factors:

(1)    the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
(2)    the nature of the copyrighted work;
(3)    the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
(4)    the effect of the use upon the potential market for or value of the copyrighted work.

It is important to note the wording of this provision - this is a non-exhaustive list, and leaves a wide scope for potentially fair uses, including parody.  The open-ended nature of fair use requires a case-by-case approach, examined by the Courts, rather than a statutory, bright-line test.  This approach was exemplified in the now legendary case of Campbell v Acuff-Rose Music (1994), which concerned the notorious hip hop outfit 2 Live Crew and their explicit take on Roy Orbison’s soppy ballad “Pretty Woman”.  The Supreme Court ruled that parody constituted fair use, recognising that the taking of the central elements of the original work was not only permissible, but essential in works of parody.

Parody exceptions exist in a number of European jurisdictions, including France, Germany, Spain and Sweden – although each operates slightly differently.  French law allows exceptions for parody, pastiche and caricature, “taking into account the usage of the genre”.  In order to qualify, the parody must have been intended to be humorous in nature and there must be no risk of confusion with the original work.  A parody has even been held to defeat both the author’s right to make adaptations and the author’s moral right to integrity (the case concerned well-known cartoon characters depicted in obscene situations.  In Germany and Sweden parody exceptions have been carved out by the Courts rather than in statute, but exist nonetheless.

The Australian Copyright Amendment Act 2006 introduced a fair use exception for the purposes of parody and satire, along with format-shifting and time-shifting.  When determining whether the use is fair, the Courts must consider all the circumstances of the case including the nature of the work; the nature of the use; and any effect on the commercial market for the original work.

In 2008 the New Zealand Government launched a consultation into whether a parody exception should be introduced.  This was unfortunately shelved due to a general election but another review is scheduled for 2013 and it is thought that the issue will return then. 

There is, frankly, not much of an argument to be made against allowing a parody exception to copyright.  By allowing parodies to exist, copyright owners do not actually suffer.  It would be ridiculous to suggest that authors, musicians and filmmakers are somehow worse off in jurisdictions which allow parody, for fear that someone might decide to change the lyrics of one of their songs to fulfil a different purpose and upload it to Youtube.  

Parodies, essentially by definition, do not compete with the original work in the market but co-exist, often appealing to a different demographic.  There are countless examples of parody creating works of value – take for example Weird Al Yankovic, who has made a successful career for himself by parodying the works of others to great effect.  Parody may even sometimes add value to the original work. For example, rapper Chamilionaire actually attributes the success of his song “Ridin’ Dirty” to Yankovic’s parody “White and Nerdy”.  What parody does is mock or criticise constructively – the law should be facilitating these legitimate aims, not preventing them.  

Some may be concerned that allowing parody would be a dangerous move that opens the floodgates for bogus works that free-ride on original works of merit, purporting to be parodies, satires or caricature.  However it is important to remember that this will be a specific exception for parody, not a US-style, non-exhaustive doctrine of fair use.  Indeed, Professor Hargreaves concluded explicitly that a fair use doctrine should not be adopted in the UK.  Any exception would need to be carefully framed such that relevant factors are taken into account.

Some may claim that we simply “don’t need” a parody exception, as if it is really not that important.  This is a cynical and perhaps simplistic view.  As already discussed, parody is an effective method of criticism.  In the age of online activism and digital media campaigning it will become crucial.  Allowing corporations to silence criticism using intellectual property laws is simply not on.  The Greenpeace vs Volkswagen saga is just one example of parody being put to work in this way, and I suspect over the coming years many more examples will appear. 

Allowing parody of protected works will be an important step towards a more balanced and sensible law of copyright.  To sit back and do nothing now will be to deny artists, creators and activists alike a powerful tool of communication.  Nothing happened after the Gowers Review in 2006 - let’s not miss out on this opportunity again.

Jag Bahra is a law graduate, civil liberties & copyleft enthusiast.

Consumer Focus have produced a briefing on parody here.

Read more Comments (0)